Closed
14 changes: 14 additions & 0 deletions .gitignore
@@ -23,6 +23,20 @@ secrets-found.*
breach-data/
stealer-logs/

# Claude Code local config (contains operational/engagement details)
CLAUDE.md

# Engagement findings — contain real vuln details, credentials, internal infra
findings/

# Captured engagement artifacts
refreshSession.js
mcp-proxy.jar

# Local-only skills (engagement/program specific)
skills/hackerone/
skills/report-template/

# API keys / config that shouldn't ship
.env
.env.local
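Review bot: ignoring `CLAUDE.md`, `findings/`, `refreshSession.js`, `mcp-proxy.jar`, `skills/hackerone/`, `skills/report-template/` and `.env*` only stops future `git add`; if any of these were ever committed they are still tracked and still in history, which matters most for `findings/` (the comment says it holds real vuln details and credentials). Before merging, confirm with `git ls-files findings/ CLAUDE.md refreshSession.js mcp-proxy.jar .env .env.local` and `git log --all --oneline -- findings/ .env`, untrack anything found with `git rm --cached`, and if real credentials were ever pushed treat them as exposed (rotate, then rewrite history). Two smaller points: `.env` plus `.env.local` misses `.env.production`, `.env.development.local` and similar, so `.env*` followed by `!.env.example` is the usual pattern; and naming individual captured artifacts (`refreshSession.js`, `mcp-proxy.jar`) is brittle and puts engagement detail into a public file, so a single directory pattern such as `artifacts/` for captured material is easier to keep complete.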
23 changes: 23 additions & 0 deletions CHANGELOG.md
@@ -7,6 +7,29 @@ and the project uses [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

---

## [Unreleased]

### `offensive-osint` — feat: HackerOne hacktivity reference agent (§29.3)

- Added `skills/offensive-osint/scripts/h1_reference.py` — stdlib-only Python script (no API key required) that queries HackerOne's public GraphQL API for disclosed reports, surfacing community-validated findings during recon.
- Supports: top-voted sort (community-validated techniques), top-bounty sort (business-impact framing), keyword search with cursor pagination (50 results/page), client-side severity and CWE filters, program-specific lookups, JSON output for piping.
- Documents three empirically discovered H1 GraphQL server crashes worked around in the script: named variables + substate filter + report fields, `disclosed_at` field + substate filter, sort + substate filter + report fields.
- Added §29.3 "HackerOne Disclosed Reports Reference" to `offensive-osint` with usage recipes for session-start baseline loading, tech-stack keyword search, pre-probe attack-class reference, and report-writing comparables.
- Added trigger phrases: `hackerone reference`, `h1 hacktivity`, `disclosed reports`, `community bug reports`, `prior disclosures`, `bug bounty reference`.
- Added smoke-test prompt #33.

### `osint-methodology` — refactor: trimmed from 1,694 to 455 lines (v2.2)

- Removed duplicate implementation content already covered by `offensive-osint` (§11–§15, §27–§29 original).
- Compressed 9 implementation-detail sections (Identity Fabric, API, JS, Mobile, Cloud, WAF/CDN, Vuln Prioritization, Phishing) into a single §11 pointer block — each now a 2-sentence description + companion skill reference.
- Collapsed §16–§21 (Cryptocurrency, Image/Video/Chronolocation, Threat Actor, People, Infrastructure OSINT, Automation, Synthetic Media) into a single §13 specialty domains section (~20 lines total).
- Retained full methodology core: confidence levels + upgrade workflows (§2), 5-stage pipeline + priority order + time budgets (§7), asset graph taxonomy + triage rules (§8), severity rubric + escalation rules (§9), OpSec + detectability + back-off (§6), breach × identity correlation (§12), anti-patterns (§14).
- Trimmed §30 Bug Bounty Submission (~90 lines → ~15) and §31 Client Deliverable Templates (~150 lines → ~20); retained essential structures (report skeleton, risk translation matrix).
- Renumbered: §26 Anti-Patterns → §14; §30 Bug Bounty → §15; §31 Deliverables → §16; §32 Self-Test → §17; §33 Changelog → §18.
- Updated skill self-test to 12 prompts aligned with new section numbers.

---

## [2.1] — 2026-04-27

Comprehensive expansion based on a 32-prompt smoke-test gap analysis. PASS rate moved from C-grade (1 PASS / 9 PARTIAL / 22 FAIL) to A-grade (31 PASS / 1 PARTIAL / 0 FAIL).
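Review bot: the `offensive-osint` entry says the script "Documents three empirically discovered H1 GraphQL server crashes worked around in the script" and then lists the triggering query shapes. If these are reproducible server-side failures on HackerOne's production GraphQL endpoint, the changelog should state whether they were reported to HackerOne (which runs its own disclosure program) before the triggers were published as workarounds; if "crash" only means a 500 response to an unsupported field combination, say "server errors" so the claim is not overstated. Minor: the `osint-methodology` entry is tagged "(v2.2)" but sits under `## [Unreleased]` while the last cut section is `## [2.1]`, so either open a `## [2.2]` section when this ships or drop the tag from the heading so Unreleased does not carry a version number.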
32 changes: 22 additions & 10 deletions README.md
@@ -2,7 +2,7 @@

# claude-osint

> 2 paired Claude skills · **90+ recon modules** · 48 secret-regex patterns · 80+ dorks · 9 read-only credential validators · 27 attack-path templates · 5,500+ lines of structured tradecraft. Drop-in `SKILL.md` files that turn Claude into a god-mode external recon operator for authorized red-team and bug-bounty engagements.
> 2 paired Claude skills · **90+ recon modules** · 48 secret-regex patterns · 80+ dorks · 9 read-only credential validators · 27 attack-path templates · 4,600+ lines of structured tradecraft. Drop-in `SKILL.md` files that turn Claude into a god-mode external recon operator for authorized red-team and bug-bounty engagements.

Built by **[ElementalSoul](https://github.com/elementalsouls)** — GenAI Security Research.

@@ -12,12 +12,12 @@ Built by **[ElementalSoul](https://github.com/elementalsouls)** — GenAI Securi

`claude-osint` is a paired set of skills for the [Claude skills system](https://docs.claude.com/en/docs/claude-code/skills). Each skill is a structured `SKILL.md` file that primes Claude with expert-level methodology for one half of the offensive recon problem:

- **`osint-methodology`** *how to think.* Strategic + procedural. Asset-graph discipline, severity rubric, time budgeting, identity-fabric mapping, deliverable templates.
- **`offensive-osint`** *what to reach for.* Tactical arsenal. Probe paths, regexes, payloads, scoring rules, curl one-liners, tool URLs.
- **`osint-methodology`** - *how to think.* Strategic + procedural. Asset-graph discipline, severity rubric, time budgeting, identity-fabric mapping, deliverable templates.
- **`offensive-osint`** - *what to reach for.* Tactical arsenal. Probe paths, regexes, payloads, scoring rules, curl one-liners, tool URLs.

Drop both into your Claude environment and it behaves like a senior recon analyst: it knows the techniques, the tooling, the edge cases, and the escalation paths — and it stays in scope.

~5,500 lines of structured tradecraft · 96.9% PASS on a 32-prompt self-evaluation · ~85–90% practitioner coverage for the recon phase of authorized engagements.
~4,600 lines of structured tradecraft · 96.9% PASS on a 32-prompt self-evaluation · ~85–90% practitioner coverage for the recon phase of authorized engagements.

---

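Review bot: the updated line `~4,600 lines of structured tradecraft · 96.9% PASS on a 32-prompt self-evaluation` corrects the line count but keeps the 32-prompt count and the 96.9% figure (31 of 32), while this PR's CHANGELOG adds smoke-test prompt #33 for `h1_reference.py`; either rerun the suite and report the 33-prompt result, or state that prompt #33 is not yet scored. The `- *how to think.*` / `- *what to reach for.*` lines now use a bare hyphen as the separator; that is fine, but use the same separator the About section uses so the two hunks agree.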
@@ -26,14 +26,15 @@ Drop both into your Claude environment and it behaves like a senior recon analys
```
claude-osint/
├── skills/
│ ├── osint-methodology/SKILL.md # how to think (1,694 lines)
│ ├── osint-methodology/SKILL.md # how to think (455 lines)
│ └── offensive-osint/
│ ├── SKILL.md # what to reach for (4,168 lines)
│ └── scripts/secret_scan.py # stdlib-only secret scanner
│ ├── scripts/secret_scan.py # stdlib-only secret scanner
│ └── scripts/h1_reference.py # HackerOne disclosed-reports reference agent
├── docs/ # architecture · coverage · install · usage
├── examples/ # 4 end-to-end engagement walk-throughs
├── tests/smoke-test-prompts.md # 32-prompt self-evaluation
└── assets/banner.svg
└── assets/banner.png
```

Each skill directory is self-contained. Drop into `~/.claude/skills/` and Claude auto-triggers on relevant phrases.
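Review bot: `tests/smoke-test-prompts.md # 32-prompt self-evaluation` in the tree is stale for the same reason as the intro line: the CHANGELOG in this PR adds prompt #33. Also worth a comment on `scripts/h1_reference.py`: it is the only file in the tree that makes network calls (it queries HackerOne's GraphQL API), whereas `secret_scan.py` is annotated as stdlib-only and runs offline; something like `# queries H1 GraphQL (network, no API key)` tells an operator running recon under OpSec constraints that this one reaches out. Finally, `assets/banner.svg` becomes `assets/banner.png` here; make sure the actual asset rename is part of this PR, since it is not among the files shown.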
@@ -105,6 +106,7 @@ Each skill directory is self-contained. Drop into `~/.claude/skills/` and Claude
| 9 read-only credential validators (Postman / AWS / GitHub / Slack / Anthropic / OpenAI / npm / Atlassian / DataDog) | arsenal |
| Post-discovery enumeration workflows (IAM enum · repo enum · workspace enum · JWT triage) | arsenal |
| `secret_scan.py` runnable helper (stdlib-only, JSONL output) | arsenal |
| `h1_reference.py` — HackerOne disclosed-reports reference agent (no API key, top-voted / top-bounty / keyword / program filter) | arsenal |
| 80+ dork corpus across 9 categories | arsenal |

### Breach Intelligence
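Review bot: the new `h1_reference.py` row lists `top-voted / top-bounty / keyword / program filter`, but the CHANGELOG entry for the same script also credits client-side severity and CWE filters, cursor pagination and JSON output for piping; align the row with that list so the feature table stays a complete inventory. "no API key" also deserves the qualifier that it is an unauthenticated query against a public endpoint, so it is subject to whatever rate limiting HackerOne applies and should follow the back-off rules the `osint-methodology` skill retains in §6 rather than paging through 50-result pages at full speed.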
@@ -315,12 +317,22 @@ Both skills include a soft scope-check when you ask Claude to act against an unv

## About

Operational tradecraft accumulated across external attack-surface engagements, codified into Claude skills. Engagement-platform agnostic slot into any ASM / ticketing / asset-graph platform you already use, or none.
Operational tradecraft accumulated across external attack-surface engagements, codified into Claude skills. Engagement-platform agnostic - slot into any ASM / ticketing / asset-graph platform you already use, or none.

**Author:** [ElementalSoul](https://github.com/elementalsouls)

**Original framework:** [SnailSploit/offensive-checklist](https://github.com/SnailSploit/offensive-checklist) (v1.x)
**Inspired by:** [Bellingcat's Online Investigations Toolkit](https://www.bellingcat.com/resources/2024/09/24/bellingcat-online-investigations-toolkit/) · [IntelTechniques](https://inteltechniques.com/tools/) · [OSINT Framework](https://osintframework.com/)
**Tool inventory:** [ProjectDiscovery](https://github.com/projectdiscovery) · [Six2dez reconftw](https://github.com/six2dez/reconftw) · [SecLists](https://github.com/danielmiessler/SecLists) · [Assetnote Wordlists](https://wordlists.assetnote.io/)

**Inspired by:** [Bellingcat's Online Investigations Toolkit](https://www.bellingcat.com/resources/2024/09/24/bellingcat-online-investigations-toolkit/)
· [IntelTechniques](https://inteltechniques.com/tools/)
· [OSINT Framework](https://osintframework.com/)

**Tool inventory:**
. [ProjectDiscovery](https://github.com/projectdiscovery)
· [Six2dez reconftw](https://github.com/six2dez/reconftw)
· [SecLists](https://github.com/danielmiessler/SecLists)
· [Assetnote Wordlists](https://wordlists.assetnote.io/)

**License:** [MIT](LICENSE) — use freely, attribution appreciated.

---
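Review bot: the first item of the split `**Tool inventory:**` list, `. [ProjectDiscovery](https://github.com/projectdiscovery)`, starts with `.` where every other item uses `·`; change it to `·` or drop the leading separator on the first item, as the `**Inspired by:**` block does. Note that these line breaks do not change the rendered README, since Markdown folds single newlines inside a paragraph into spaces, so the change is source readability only; if the intent was one link per rendered line, end each line with two trailing spaces or use a bullet list.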